Passage through parliament looks uncertain for a government bill that would criminalise the re-identification of public sector datasets released under open data policies.
The Senate Legal and Constitutional Affairs Legislation Committee tonight tabled its report on the government’s Privacy Amendment (Re-identification Offence) Bill 2016. Although the committee’s majority recommends that the bill be passed, a dissenting report by its Labor and Greens members calls for parliament to reject the proposed legislation.
Attorney-General George Brandis in September last year announced that the government would introduce legislation to criminalise re-identification. The motivation behind the sudden announcement became clear when a group of Melbourne University researchers revealed that data made public by the Department of Health had been improperly de-identified.
The department was forced to pulled offline datasets it had released based on the Pharmaceutical Benefits and Medicare Benefits schemes (PBS/MBS). The government’s bill would retrospectively criminalise re-identification to the date of Brandis’ initial announcement.
The government’s bill prompted concern from cyber security experts and digital rights advocates that it could hamper legitimate security research.
The researchers who discovered the flaws in the health department’s de-identification process — Vanessa Teague, Chris Culnane and Benjamin Rubinstein — argued in a submission to the Senate inquiry that the “threat of criminal penalties” — up to two years’ prison — “could inhibit open investigation, which could mean that fewer Australian security researchers find problems and notify the government”.
As a result, “Criminals and foreign spy agencies will be more likely to find them first,” the researchers argued.
The government has sought to assuage concerns, including provisions in the bill to exempt some research from its scope. However, in many cases it will be up to the responsible minister to set out what individual organisations or classes of organisations will be exempt from the ban on re-identification, and what conditions will be imposed on them.
In addition, the bill reverses the burden of proof, putting the onus on researchers to prove that the re-identification of a dataset is covered by one of the exemptions.
The committee majority rejected concerns over criminalising research, arguing that in its view “researchers employed by States and Territories (which includes most universities) will not fall within the scope of the Privacy Act” — and thus not be captured by the bill.
“Additionally,” the report states, “the bill has exclusions for agencies in connection with their functions and activities or authorised by law, for contracted service providers for the purpose of meeting an obligation under a Commonwealth contract and for entities in accordance with an agreement between the entity and the responsible agency.”
The report adds: “Moreover, the committee is reassured by the consultation process the [Attorney-General’s Department] will put in place to ensure that researchers not connected to universities will have an opportunity to be considered within a class of entities subject to the Minister’s exemption determination powers.”
The dissenting report backed by Labor and Greens senators argued that the bill takes a “punitive approach” to security researchers and research conducted in the public interest. By contrast, it notes, “government agencies that publish poorly de-identified information do not face criminal offences and are not held responsible”.
It adds that although the Privacy Act does not apply to most universities, “the implications of the bill are not clear for researchers at the Australian National University, students, and individuals acting on their own initiative who happen to be university employees.”
An individual who re-identifies their own information could be caught up in the bill’s punitive regime, the dissenting report says.
“The bill discourages research conducted in the public interest as well as open discussion of issues which may have been identified,” the senators argue.
The full report is available online.